Administrator account with no password

  • Section(s): Security, Network and Security
  • Published on Jan 04, 2006.
  • Last Modified on Jan 04, 2006.
  • Last Modified by Mitch Tulloch.
  • Rated 2.1 out of 5 based on 8 votes.

While conventional wisdom is that Administrator accounts should have long, complex passwords, this is not always so. Beginning with Windows XP, if a user account has no password then it can only be used for local console (interactive) logons. In other words, you can't use it for accessing the machine over the network. You also can't use it with the Runas command to run applications with admin credentials during an ordinary user session. The downside, of course, is that if the physical security of your computer is compromised (i.e. if someone else can sit down at the console and press CTRL+ALT+DEL) then it's trivially easy to gain admin-level control over your machine. So why would you ever want to have an admin account with no password?

One simple scenario might be in a small office or home office where your XP machines belong to a workgroup. In that case, you can do the following:

  • Create a local user account for each user and assign them a password (or no password if you trust everyone in your office).
  • Leave the password for the local Administrator account on each machine set to null (i.e. no password).
  • Enable Fast User Switching.

Then educate your users by telling them that they should use their local Administrator account only for installing new programs that are deemed safe to install, for configuring the few Control Panel applets that require admin creds to work, and for a few other tasks you specify. And to make sure they recognize when they're logged on as admin, change the theme for the Administrator desktop to Classic Windows.

Now the user only has to press Windows Key + L to switch between their ordinary user session (which they use for doing work, checking email, browsing the web and so on) and their admin desktop (which they only occasionally need for the purposes listed above). This is a lot easier than (a) teaching ordinary users how to use runas.exe and (b) logging on as admin for them when they need an admin-level task performed.

Will this work in a domain scenario? I wouldn't recommend it, since a compromised desktop could be used to launch an attack against a domain controller. But in a workgroup environment this can make your life easier as a network administrator. Just be sure to have a good lock on your door and hire only people you trust!
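
The scheme above is only as safe as the console-only restriction on blank-password accounts. As an added example (not part of the original article), this PowerShell audit checks that the restriction is in force and lists the accounts that rely on it. It assumes Windows PowerShell 5.1 or later for Get-LocalUser, and reads the LimitBlankPasswordUse registry value that backs the security option "Accounts: Limit local account use of blank passwords to console logon only"; the function names are hypothetical.

```powershell
# Added example: audit the setting the article's scheme depends on.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser is not available on XP).

function Get-BlankPasswordPolicy {
    # Security option "Accounts: Limit local account use of blank passwords
    # to console logon only" is stored in this registry value (1 = enabled).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotConfigured'          # value absent: do not assume either state
    }
    if ($item.LimitBlankPasswordUse -eq 1) { return 'ConsoleOnly' }
    return 'NetworkAllowed'
}

function Get-BlankPasswordCandidates {
    # Enabled local accounts that are permitted to have an empty password.
    # PasswordRequired = $false does not prove the password is blank, only
    # that a blank one is allowed, so treat the output as a review list.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, PasswordLastSet, LastLogon
}

$policy     = Get-BlankPasswordPolicy
$candidates = @(Get-BlankPasswordCandidates)

switch ($policy) {
    'ConsoleOnly'    { Write-Output  'Blank-password accounts are limited to console logon.' }
    'NetworkAllowed' { Write-Warning 'Blank-password accounts can be used over the network.' }
    'NotConfigured'  { Write-Warning 'LimitBlankPasswordUse is not set; verify the effective policy.' }
}

if ($candidates.Count -gt 0) {
    Write-Output 'Enabled local accounts that may have no password:'
    $candidates | Format-Table -AutoSize
    if ($policy -ne 'ConsoleOnly') {
        Write-Warning 'These accounts are not protected by the console-only restriction.'
    }
}
```

Run it on each workgroup machine after setting up the accounts; a result other than ConsoleOnly means the null Administrator password is no longer confined to the physical console.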

About Mitch Tulloch

Mitch Tulloch was lead author for the Windows Vista Resource Kit from Microsoft Press, which is the book for IT pros who want to deploy, maintain and support Windows Vista in mid- and large-sized network environments. Mitch was also the author of Introducing Windows Server 2008 and technical project lead for the Microsoft Office Communications Server 2007 Resource Kit, both books also from Microsoft Press. For more information on these and other books by Mitch, see www.mtit.com.
